Target Stores security breach just the tip of the iceberg

Target has increased the estimate for the number of customers exposed in the massive hacking attack between Thanksgiving and December 14. It now appears at least 70 million consumers had their credit cards compromised.

Also, Neiman-Marcus announced that they, too, were victims of a cyber attack over Christmas. And in an exclusive report, Reuters is saying that several other well known retailers were also hacked over the holidays.

Neiman Marcus said an outside forensics firm discovered evidence on January 1 that indicated the retailer had been the victim of a cyber attack. It disclosed the breach nine days later, after another inquiry from Krebs, who was following up on reports about a surge in fraudulent charges traced to the retailer.

Target and J.C. Penney Co Inc. waited more than two years to admit that they were victims in 2007 of notorious hacker Albert Gonzalez, who was accused of masterminding the theft and reselling of millions of credit cards and ATM numbers.

During his trial the companies were represented by lawyers who did not identify their clients as Target and J.C Penney.

Doug Johnson, vice president of risk management policy with the American Bankers Association, said banks and credit card firms like Visa are forbidden from naming merchants that have been breached, unless they disclose it themselves.

"It is really frustrating to the bank and also the customer," Johnson said.

One of the sources who told Reuters about the recent rash of attacks said the memory parsing malware cited in the Visa reports was among the tools that the hackers had used, but said they used other techniques as well.

Target spokeswoman Molly Snyder said the retailer is not commenting on the company's investigation of the breach.

"This continues to be an active and ongoing investigation. It would be inappropriate to discuss details at this point."

Avivah Litan, a security analyst for Stamford, Connecticut -based Gartner information technology research firm, said she learned about a separate set of breaches, dating back no more than a few months before the November 28 Thanksgiving Day start of the holiday shopping season, from a forensics investigator. She declined to provide his name.

"Target was not the only retailer who got hit, but they got hit the biggest," Litan said.

Investigators believe that the early series of attacks on retailers staged before late November were mostly used as trial attacks to help the hackers perfect new techniques they then used against Target, stealing payment cards at unprecedented speed, Litan said.

Chris Gray, director of Denver, Colorado -based Accuvant information security firm's risk and compliance practice, said that sophisticated cyber crime groups do that because they only have once chance to get it right before victims catch on.

Investigators believe the attacks originated from eastern Europe, which almost certainly implicates an organized crime ring; Russia, Serbia, Kosovo - take your pick. They're all capable of pulling it off. More importantly from their point of viiew, they have the distribution networks in place to rapidly sell millions of people's information.

I recently had to get a new debit card because the issuing credit card company for my old card was hacked. It doesn't have to be this way. There are several security measures that can be added to cards that make them a lot more secure. The problem is that the changeover would be hugely expensive for everyone; retailers, card companies, and verification firms.

Eventually, we're going to have to weight the costs of transitioning to a new card system against the ability of the hackers to steal our data. A few more hacks like the one that hit target should be convincing enough.

Target has increased the estimate for the number of customers exposed in the massive hacking attack between Thanksgiving and December 14. It now appears at least 70 million consumers had their credit cards compromised.

Also, Neiman-Marcus announced that they, too, were victims of a cyber attack over Christmas. And in an exclusive report, Reuters is saying that several other well known retailers were also hacked over the holidays.

Neiman Marcus said an outside forensics firm discovered evidence on January 1 that indicated the retailer had been the victim of a cyber attack. It disclosed the breach nine days later, after another inquiry from Krebs, who was following up on reports about a surge in fraudulent charges traced to the retailer.

Target and J.C. Penney Co Inc. waited more than two years to admit that they were victims in 2007 of notorious hacker Albert Gonzalez, who was accused of masterminding the theft and reselling of millions of credit cards and ATM numbers.

During his trial the companies were represented by lawyers who did not identify their clients as Target and J.C Penney.

Doug Johnson, vice president of risk management policy with the American Bankers Association, said banks and credit card firms like Visa are forbidden from naming merchants that have been breached, unless they disclose it themselves.

"It is really frustrating to the bank and also the customer," Johnson said.

One of the sources who told Reuters about the recent rash of attacks said the memory parsing malware cited in the Visa reports was among the tools that the hackers had used, but said they used other techniques as well.

Target spokeswoman Molly Snyder said the retailer is not commenting on the company's investigation of the breach.

"This continues to be an active and ongoing investigation. It would be inappropriate to discuss details at this point."

Avivah Litan, a security analyst for Stamford, Connecticut -based Gartner information technology research firm, said she learned about a separate set of breaches, dating back no more than a few months before the November 28 Thanksgiving Day start of the holiday shopping season, from a forensics investigator. She declined to provide his name.

"Target was not the only retailer who got hit, but they got hit the biggest," Litan said.

Investigators believe that the early series of attacks on retailers staged before late November were mostly used as trial attacks to help the hackers perfect new techniques they then used against Target, stealing payment cards at unprecedented speed, Litan said.

Chris Gray, director of Denver, Colorado -based Accuvant information security firm's risk and compliance practice, said that sophisticated cyber crime groups do that because they only have once chance to get it right before victims catch on.

Investigators believe the attacks originated from eastern Europe, which almost certainly implicates an organized crime ring; Russia, Serbia, Kosovo - take your pick. They're all capable of pulling it off. More importantly from their point of viiew, they have the distribution networks in place to rapidly sell millions of people's information.

I recently had to get a new debit card because the issuing credit card company for my old card was hacked. It doesn't have to be this way. There are several security measures that can be added to cards that make them a lot more secure. The problem is that the changeover would be hugely expensive for everyone; retailers, card companies, and verification firms.

Eventually, we're going to have to weight the costs of transitioning to a new card system against the ability of the hackers to steal our data. A few more hacks like the one that hit target should be convincing enough.